The infection chain starts with a legitimate website that has been injected with code from a file served by one of its URLs. That URL most often ends in .js. The injected code is highly obfuscated, and I was unable to figure out where it came from on the legitimate site when I generated an infection in my lab. The end result looked like the image below.

The downloaded zip archive contained a heavily obfuscated JavaScript file. This happened when I used Firefox as my web browser; if you use Google Chrome, the fake browser page sends an HTA file instead of a zip archive. In my example, the fake Firefox update page sent a zip archive containing a file named Firefox.js, which acts as the malware downloader.

Shown above: The downloaded zip archive and extracted .js file.

Infection traffic

Infection traffic was typical of what I've seen before with this campaign. The malware downloader is very picky: it knows which machines I've infected before, so when I use a computer that I've already infected once or twice, it won't deliver the follow-up malware. Also, this .js-based downloader (or HTA-based downloader, if you received the fake Chrome update page) is extremely VM-aware. It's rare for me to get a full infection chain of events. In this case, I got the fake browser update page on one computer, then switched to another computer to get Firefox.js to deliver the follow-up malware.

Shown above: Gate URLs and a fake Firefox update page from the SocGholish campaign shown in a Fiddler capture.

Shown above: Gate domain and fake Firefox update page from the SocGholish campaign from a pcap shown in Wireshark.

Shown above: Traffic from infecting a host with the Firefox.js file.

Shown above: Data returned from the server contacted after running Firefox.js on my lab host.

This NetSupport RAT-based malware package was sent as a 10 MB ASCII text file consisting of hexadecimal characters. This is hex-encoded data: the file was saved to my lab host and decoded into a zip archive containing the malware package. Both the ASCII data and the decoded zip archive had been deleted from my infected lab host by the time I performed post-infection forensics.
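If you carve the hex-encoded response out of the pcap (for example with Wireshark's File > Export Objects > HTTP), the following script recovers the zip archive from it and lists what the archive contains. This is an added example written for this write-up, not code from the campaign or from the original analysis; the sample payload it builds in memory is constructed, and the member file names in it are placeholders, not the names in the real NetSupport package.

```python
import io
import re
import zipfile
from typing import Dict, List

ZIP_MAGIC = b"PK\x03\x04"          # local file header signature of a zip archive
NON_HEX_RE = re.compile(r"[^0-9A-Fa-f]")


def build_sample_hex_payload() -> str:
    """Constructed stand-in for the server response: a small zip archive, hex-encoded
    and wrapped onto 76-character CRLF lines (member names are placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("package/client.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("package/config.ini", b"[General]\r\nPort=443\r\n")
    hex_text = buf.getvalue().hex().upper()
    lines = [hex_text[i:i + 76] for i in range(0, len(hex_text), 76)]
    return "\r\n".join(lines) + "\r\n"


def decode_hex_payload(text: str) -> bytes:
    """Strip everything that is not a hex digit (line breaks, spaces) and decode.
    An odd digit count means the capture was truncated or the data is not plain hex."""
    cleaned = NON_HEX_RE.sub("", text)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits: truncated capture or not plain hex")
    return bytes.fromhex(cleaned)


def list_zip_members(blob: bytes) -> List[str]:
    """Confirm the decoded bytes really are a zip archive, then list its members
    without extracting anything to disk."""
    if not blob.startswith(ZIP_MAGIC):
        raise ValueError("decoded data is not a zip archive (first bytes %r)" % blob[:4])
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [info.filename for info in zf.infolist()]


def triage_payload(text: str) -> Dict[str, object]:
    """Decode one hex-encoded response and summarise it for the analyst."""
    blob = decode_hex_payload(text)
    return {
        "ascii_size": len(text),        # size on the wire
        "decoded_size": len(blob),      # roughly half, since each byte is two hex digits
        "members": list_zip_members(blob),
    }


if __name__ == "__main__":
    # Real use: triage_payload(open("exported_response.txt").read())
    print(triage_payload(build_sample_hex_payload()))
```

Because every byte becomes two ASCII characters (plus line breaks), the decoded archive is at most half the size of the text file, which is a quick sanity check when you compare the exported object against what later lands in AppData\Roaming.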

Post-infection forensics

The NetSupport RAT-based malware package was kept persistent through the Windows registry and stored in a folder under the infected user's AppData\Roaming directory.
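A quick way to surface that persistence during triage is to export the Run keys (for example with `reg export`) and flag any value whose image path lives under the user's AppData\Roaming tree or %APPDATA%. The script below is an added example for this write-up, not part of the original analysis; the .reg text it parses is constructed, and the value names and paths in it are placeholders rather than the ones from the infected host.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export (placeholder names and paths, not the real infected host).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"SyncHelper"="\"C:\\Users\\lab\\AppData\\Roaming\\SyncHelper\\helper.exe\""
"LegacyTool"="%APPDATA%\\legacy\\tool.exe -silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

# One "name"="value" line of a .reg file; both sides may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Markers that put an autorun image inside the roaming profile.
ROAMING_MARKERS = ("\\appdata\\roaming\\", "%appdata%\\")


def unescape_reg(s: str) -> str:
    """Undo .reg string escaping: \\ -> \ and \" -> " (handled in one pass)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, value_data) for every string value in the export."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries.append((current_key, unescape_reg(m.group(1)), unescape_reg(m.group(2))))
    return entries


def image_path(command: str) -> str:
    """Pull the executable out of a Run value: quoted path, or first token if unquoted
    (an unquoted path with spaces is itself a misconfiguration worth a look)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def flag_roaming_autoruns(text: str) -> List[Dict[str, str]]:
    """Flag Run/RunOnce values whose image path is under AppData\Roaming or %APPDATA%."""
    flagged = []
    for key, name, command in parse_reg_export(text):
        if "\\currentversion\\run" not in key.lower():
            continue
        path = image_path(command)
        if any(marker in path.lower() for marker in ROAMING_MARKERS):
            flagged.append({"key": key, "name": name, "path": path})
    return flagged


if __name__ == "__main__":
    # Real use: flag_roaming_autoruns(open("run_keys.reg", encoding="utf-16").read())
    for hit in flag_roaming_autoruns(SAMPLE_REG_EXPORT):
        print(hit)
```

A hit is only a lead, since some legitimate software also launches from the roaming profile; the next step is to hash the flagged binary and its folder and compare against the zip archive recovered from the traffic.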

Computers running Windows 10 with the latest updates and recommended security settings are not very vulnerable to this threat. Default security settings for Chrome and Firefox usually block this activity. However, the criminals behind this campaign keep updating their tactics as they attempt to evade detection, and these fake browser pages sometimes slip through. If someone clicked through enough security warnings, they might very well infect a vulnerable Windows host.

The associated malware, along with a pcap and Fiddler capture of the traffic (.saz file) can be found here.